The so-called blind SQL injection vulnerability was discovered by Ryan Dewhurst, a security researcher and co-developer of the WPScan vulnerability scanner. The flaw affects versions 1.7.3.3 and older of WordPress SEO by Yoast.

In theory, exploiting the flaw requires authentication. However, since there is no cross-site request forgery (CSRF) protection, an attacker could exploit the flaw by tricking an authenticated user—like an administrator, editor or author—to click on a specially crafted link or to visit a malicious page, Dewhurst said in an advisory.

A CSRF attack involves forcing a user’s browser to execute an unauthorized action on a third-party website when that user visits a Web page controlled by an attacker. Websites must implement special protection mechanisms to prevent such attacks.

The free WordPress SEO plug-in has been downloaded over 14.2 million times. According to official WordPress statistics, it has over 1 million active installations, making it not just one of the most popular plug-ins for search engine optimization (SEO), but one of the most popular WordPress plug-ins overall.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.